Congressional Record: March 28, 2007 (Senate)
Page S4039-S4042
NSL INSPECTOR GENERAL REPORT
Mr. FEINGOLD. Mr. President, I wish to speak today about the recent
report by the inspector general of the Department of Justice on the
FBI's use of national security letters. According to the inspector
general's testimony before the Judiciary Committee, there was
``widespread and serious misuse of the FBI's national security letter
authorities''--misuse that violated statutes, Attorney General
guidelines, and internal FBI policies. I was deeply concerned by the
findings in that report. Unfortunately, I was not surprised.
The national security letter, or NSL, authorities were dramatically
expanded by Sections 358 and 505 of the PATRIOT Act. Unfortunately, in
its haste to pass this flawed legislation, Congress essentially granted
the FBI a blank check to obtain some very sensitive records about
Americans, including people not under any suspicion of wrong doing,
without judicial approval. So it is not surprising that the inspector
general identified serious problems with the implementation of these
broad authorities. Congress gave the FBI very few rules to follow. As a
result, Congress shares some responsibility for the apparently lax
attitude and in some cases serious misuse of these potentially very
intrusive authorities by the FBI.
This inspector general report proves that ``trust us'' doesn't cut it
when it comes to the Government's power to obtain Americans' sensitive
business records without a court order and without any suspicion that
they are tied to terrorism or espionage. It was a grave mistake for
Congress to grant the Government broad authorities and just keep its
fingers crossed that they wouldn't be misused. We have the
responsibility to put appropriate limits on Government authorities--
limits that allow agents to actively pursue criminals and terrorists
but that also protect the privacy of innocent Americans.
But let me back up a few steps. What are NSLs, and why are they such
a concern? I am going to spend a little time on this because it is
important. I believe there should be a legislative response to this
report, so I want my colleagues to understand what we are dealing with
here.
National security letters are issued by the FBI to businesses to
obtain certain types of records. So they are similar to the
controversial section 215 business record orders but with one very
critical difference. While section 215 involves an application to the
FISA Court, the Government does not need to get any court approval
whatsoever to issue NSLs. It doesn't have to go to the Foreign
Intelligence Surveillance Court or any other court and make even the
most minimal showing. Under the PATRIOT Act, the FBI can simply
[[Page S4040]]
issue the order signed by the special agent in charge of a field office
or some other supervisory official--although we now know that many NSLs
were issued without even the signatures required by the PATRIOT Act.
Prior to the PATRIOT Act, the FBI had to certify specific and
articulable facts giving reason to believe that the records sought with
an NSL pertained to a terrorist or spy.
But the PATRIOT Act expanded the NSL authorities to allow the
Government to use them to obtain records of people who are not
suspected of being or even being connected to terrorists or spies. The
Government need only certify that the documents are either ``sought
for'' or ``relevant to'' an authorized intelligence investigation, a
far-reaching standard that--even if followed closely, which we now know
it was not--could be used to obtain all kinds of records about innocent
Americans. Indeed, as the inspector general suggested, it could be used
to ``access NSL information about parties two or three steps removed
from their subjects without determining if these contacts reveal
suspicious connections.'' And just as with section 215, the recipient
is subject to an automatic, permanent gag rule.
NSLs can be used to obtain three categories of business records,
while section 215 orders can be used to obtain ``any tangible things.''
But even the categories reachable by an NSL are quite broad, and the
PATRIOT Act and subsequent legislation expanded them further.
Specifically, NSLs can be used to obtain the following: First,
subscriber and transactional information related to Internet and phone
usage, including information about the phone numbers and e-mail
addresses that an individual is in communication with. Second, full
credit reports. Prior to the PATRIOT Act, the FBI could not get a full
credit report without obtaining a court order--it could only obtain
what is called ``credit header'' information, which includes name,
current and former addresses, current and former places of employment,
and the names of financial institutions at which the individual has
accounts. But the PATRIOT Act expanded that authority to include full
credit reports, which generally include many personal details about
loans, credit scores, and other aspects of individuals' financial
situations. And the third category is financial records, a category
that includes bank transactions but also was expanded in 2002 to
include records from all kinds of everyday businesses like jewelers,
car dealers, travel agents and even casinos.
Unfortunately, the PATRIOT Act reauthorization legislation that was
enacted last year--over my opposition--did nothing to address the
standard for issuing an NSL. It left in place the breathtakingly broad
``relevance'' or ``sought for'' standards. Not only that, but it left
in place the automatic gag rule for NSL recipients, albeit with a new
exception for notifying a lawyer.
What did the reauthorization legislation do with regard to NSLs?
Well, primarily it created the illusion of judicial review, both for
the letters themselves and for the accompanying gag rule. At a
Judiciary Committee hearing this week, the FBI Director pointed to this
after-the-fact judicial review provision as a privacy protection for
NSLs. But if you look at the details, it was drafted in a way that
makes that review virtually meaningless. With regard to the NSLs
themselves, the reauthorization permits recipients to consult their
lawyer and seek judicial review, but it also allows the Government to
keep all of its submissions secret and not share them with the
challenger, regardless of whether there are national security interests
at stake.
The other significant problem with the judicial review provisions is
the standard for getting the gag rule overturned. In order to prevail,
the recipient has to prove that any certification by the Government
that disclosure would harm national security or impair diplomatic
relations was made in bad faith. This is a standard of review that is
virtually impossible to meet.
Now, judicial review is not at issue in the IG's report, and indeed,
the chances that a business receiving an NSL would seek judicial review
rather than just comply are relatively slim, but I think it is
important to point out that even on the one issue that the
reauthorization legislation did address with regard to NSLs, judicial
review, the result was entirely inadequate.
I want to make one additional point about national security letters.
There is a crucial difference between obtaining records in national
security investigations and in standard criminal investigations. As the
General Counsel of the FBI testified before the House Judiciary
Committee last week, actions in national security investigations ``are
typically taken in secret and they don't have the transparency of the
criminal justice system.'' She explained that in the criminal system,
agents know that ``if they mess up during the course of an
investigation, they're going to be cross-examined, they're going to
have a federal district judge yelling at them.'' That means that more
vigorous controls and compliance mechanisms are needed with respect to
sensitive authorities like national security letters than their
analogues in the criminal justice system--something I think the
inspector general report demonstrates.
With that background, what did the inspector general find as a result
of his audit of the use of NSLs from 2003 to 2005? He found that even
the very limited protections in the existing statute were not being
followed.
The inspector general found, based on FBI records, that the FBI's use
of NSLs expanded exponentially after the PATRIOT Act, moving from
approximately 8,500 requests in 2000, to 39,000 requests in 2003,
56,000 requests in 2004, and 47,000 requests in 2005. The total number
of requests was 143,074 over the 3-year period.
But the inspector general also found that even those numbers are
inaccurate because the FBI had no policies in place with respect to the
retention or tracking of NSLs. In many cases, agents did not even keep
copies of signed NSLs. As a result, the FBI significantly undercounted
its NSL requests. In a sample of 77 case files that the IG looked at,
the NSL requests were undercounted by roughly 22 percent.
Although it is hard to know how much can be extrapolated from that
figure, if that figure holds throughout the Bureau, that could mean
that there were roughly 30,000 more NSL requests issued that the FBI
didn't keep track of. That is appalling--that the privacy rights of
Americans would be treated so cavalierly that there are potentially
tens of thousands of NSL requests out there that the FBI itself doesn't
even have a record of. And it resulted in inaccurate information being
reported to Congress about the use of NSLs, raising another grave
concern.
What else did the inspector general find? He found that the use of
NSL requests regarding U.S. persons--that is, citizens and legal
permanent residents--shifted from 39 percent of all NSL requests in
2003 to 53 percent of all NSL requests in 2005, at least with respect
to the NSL requests for which the FBI kept track of the U.S person
status of the target. And, until 2006, the FBI did not keep track of
how many NSL requests pertain to individuals who are not the subjects
of authorized national security investigations. Obviously, if the FBI
is using NSLs frequently to obtain information about people who are not
the subjects of open investigations, that would present serious
concerns about their use.
The inspector general also found that the FBI significantly
underreported violations of the NSL statutes and internal guidelines
from 2003 to 2005, with respect to notifying both the FBI's Office of
General Counsel, or OGC, and the President's Intelligence Oversight
Board, or IOB, as required by Executive order. FBI employees did report
26 violations to OGC, but the IG found examples of 22 more unreported
violations in 17 investigative case files out of a sample of 77
investigative files in 4 field offices.
Some of these were significant violations, others less so. But that
means that 22 percent of investigative files surveyed by the IG
contained one or more violations not identified by the FBI or reported
to the Intelligence Oversight Board, as required. According to the IG,
``we have no reason to believe that the number of NSL-related possible
IOB violations we identified in the four field offices was skewed or
disproportionate to the number of possible IOB violations that exist in
other
[[Page S4041]]
offices.'' Thus, the IG's findings ``suggest that a significant number
of NSL-related possible IOB violations through the FBI have not been
identified or reported by FBI personnel.''
What else did the inspector general find? Perhaps the most disturbing
revelation in his report, among many disturbing revelations, is that on
more than 700 occasions, the FBI obtained telephone toll billing
records or subscriber information from 3 telephone companies without
first issuing NSLs or grand jury subpoenas. Instead, it relied on what
it called ``exigent letters'' signed by personnel not authorized by
statute to sign NSLs. Although the Electronic Communications Privacy
Act does contain an emergency provision permitting the FBI to obtain
certain communications records in emergencies where there is an
immediate threat to a person's physical safety, many of these exigent
letters were issued, admittedly, in nonemergency circumstances. Indeed,
they were used as a matter of course by one headquarters unit. This
violated both the statute and internal FBI policy.
The inspector general also found that FBI headquarters issued more
than 300 NSLs without determining whether there was an authorized
investigation in progress. Issuing an NSL without tying it an
authorized investigation is a violation of the statute.
The inspector general also found that internal FBI guidance on how to
properly use NSLs was woefully lacking, and that even to the degree
there were FBI policies in place to govern the use of NSLs, those
policies were not being followed. In 60 percent of the 77 case files
that the IG examined in detail, there was some infraction of FBI
guidance. Sixty percent. That is absolutely astounding.
But that is not all. Once information is obtained through an NSL, the
Inspector general reported that the FBI retains it indefinitely and
uploads it into databases like the ``Investigative Data Warehouse,''
where it is retrievable by the thousands of authorized personnel, both
inside and outside the FBI, who have access to these types of FBI
databases. The FBI has no process for removing that information from
its databases depending on the results of the investigation. So if a
person's full credit report is obtained with an NSL as part of a
preliminary investigation and that preliminary investigation is closed
because the FBI determines that the person has done nothing wrong, it
doesn't matter--the FBI can keep it anyway.
Although the FBI keeps all the data it collects using NSLs, it does
not tag or mark that information to indicate that it was derived
through an NSL. So the FBI does not track whether information from NSLs
ends up in intelligence analysis products or is passed on to
prosecutors for criminal investigations. You would think that these
would be key indicators of the usefulness and effectiveness of NSLs,
but that information is not available, other than anecdotally.
That is what the inspector general's report told us. The report
revealed that the FBI took a shockingly cavalier attitude toward the
privacy of innocent Americans in its implementation of the PATRIOT Act
NSL authorities.
Congress meant for the inspector general's report to help it in its
oversight of the use of national security letters, which are issued and
enforced entirely in secret, and there is no question it has done that.
The inspector general deserves a great deal of credit for his thorough
and careful report. As I have already mentioned, much of the reporting
to Congress on the use of NSLs since the PATRIOT Act has been
inaccurate or misleading due to FBI recordkeeping problems, so having
the results of this independent audit is invaluable.
But the report also reveals that the Justice Department essentially
tried to whitewash this issue over the past several years. When
Congress was considering whether to make changes to the NSL authorities
as part of the PATRIOT Act reauthorization debate, the Attorney General
came to Congress and resisted any changes, touting the strength of the
checks on its power to obtain NSLs and assuring us that the power was
being used carefully.
On April 5, 2005, Attorney General Gonzales told the Senate Judiciary
Committee, ``[T]he PATRIOT Act includes a lot of safeguards that
critics of the Act choose to ignore.'' On November 23, 2005, the
Justice Department wrote Senators Specter and Leahy a ten-page letter
defending the FBI's use of National Security Letters, asserting that
``the use of NSLs is subject to significant internal oversight and
checks,'' and that there are ``robust mechanisms for checking misuse,''
and that ``[t]he FBI must and does conduct its investigations within
the bounds of our Constitution, statutes, strict internal guidelines,
and Executive Orders.''
On December 14, 2005, the Washington Post quoted Attorney General
Gonzales as saying, ``[T]he PATRIOT Act has already undergone extensive
review and analysis by Congress, by the DOJ Inspector General, and by
other bodies . . . This extensive review has uncovered not one verified
example of abuse of any of the Act's provisions.''
It is now quite evident that the Attorney General must not have been
looking very hard, and certainly not trying very hard to ensure the
protection of Americans' privacy rights. There is a lot going on right
now that suggests we should be skeptical of assurances from the Justice
Department, but this report highlights just how overtly political, and
how lacking in fact, were DOJ's representations regarding the
implementation of the Patriot Act.
Indeed, as recently as November 2006, the Justice Department
asserted--in response to an inspector general memo warning against the
potential for abuse of national security letters--that the FBI is
``aggressively vigilant in guarding against any abuse,'' a claim we now
know was simply false.
It is an understatement to say that the inspector general's report
uncovered serious flaws in the use of national security letters. But
these were flaws waiting to happen. It should not have taken this type
of highly critical report to convince Congress to do something about
such wide-ranging Government power.
In fact, a bipartisan group of Senators proposed changes to the NSL
statutes years ago, in the Security and Freedom Enhancement Act, or
SAFE, Act. I, along with Senators Craig, Durbin, Sununu, Murkowski,
Salazar, and many others, pushed for changes to the NSL statutes to try
to prevent precisely the types of abuses that have now come to light.
For example, the SAFE Act would have required that agents demonstrate
that the records pertain to a suspected terrorist or spy before the FBI
can issue an NSL, rather than the extremely loose standard in the
PATRIOT Act.
The SAFE Act also would have given the recipient of an NSL a
meaningful right to challenge the letter and the nondisclosure
requirement, and placed a time limit on the nondisclosure requirement,
which could be extended by the court. As is the case for FISA
authorities, the SAFE Act would have required notice to the target of
an NSL if the Government sought to use the records obtained from the
NSL in a subsequent proceeding and given the target an opportunity to
challenge the use of those records.
So the idea that the NSL statutes need to be revised is not new. But
the inspector general's report has now highlighted the need for
legislation and suggested some problems with the statutes that had not
previously been identified.
The time for changing the lax and unchecked system for issuing
national security letters is now. The hearings the Judiciary Committee
has held with the inspector general and the FBI Director have been
immensely helpful.
But we must not stop there. Legislation is needed. During the
reauthorization of the PATRIOT Act, we were unable to fix the NSL
statutes. The administration and its supporters even refused to put a
sunset on the NSL powers. So we need to act, and soon. I hope to work
closely with the bipartisan group of Senators who cosponsored the SAFE
Act. I plan to press for Senate action on sensible reforms to help
prevent future abuses of national security letters.
Let me say, in conclusion, that this report shows beyond doubt that
Congress made a grave mistake when it let this administration
intimidate us into silence and inaction rather than protecting the
rights and freedoms of the American people. The Justice Department's
credibility concerning the powers contained in the PATRIOT Act is in
[[Page S4042]]
shreds. Congress needs to exercise extensive and searching oversight of
those powers, and it must take corrective action. The inspector
general's report has shown both that current safeguards are inadequate
and that the Government cannot be trusted to exercise those powers
lawfully. Congress must address these problems and fix the mistakes it
made in passing and reauthorizing the flawed PATRIOT Act.
____________________